Security Software Discovery - T1518.001
(ATT&CK® Technique)
Definition
Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cloud monitoring agents and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
D3FEND Inferred Relationships
graph LR;
T1518001["Security Software Discovery"] --> |may-access| KernelProcessTable["Kernel Process Table"];
T1518001 --> |may-access| FileSystemMetadata["File System Metadata"];
T1518001 --> |may-invoke| GetRunningProcesses["Get Running Processes"];
T1518001 --> |may-access| SystemConfigurationDatabaseRecord["System Configuration Database Record"];
T1518001 --> |may-access| SystemFirewallConfiguration["System Firewall Configuration"];
ContentQuarantine["Content Quarantine"] --> |quarantines| SystemConfigurationDatabaseRecord;
ContentQuarantine -.-> |may-isolate| T1518001;
SystemCallFiltering["System Call Filtering"] --> |filters| GetRunningProcesses;
SystemCallFiltering -.-> |may-isolate| T1518001;
RestoreConfiguration["Restore Configuration"] --> |restores| SystemConfigurationDatabaseRecord;
RestoreConfiguration --> |restores| SystemFirewallConfiguration;
RestoreConfiguration -.-> |may-restore| T1518001;
SystemCallAnalysis["System Call Analysis"] --> |analyzes| GetRunningProcesses;
SystemCallAnalysis -.-> |may-detect| T1518001;
class T1518001 OffensiveTechniqueNode;
class KernelProcessTable,FileSystemMetadata,GetRunningProcesses,SystemConfigurationDatabaseRecord,SystemFirewallConfiguration ArtifactNode;
class ContentQuarantine,SystemCallFiltering,RestoreConfiguration,SystemCallAnalysis DefensiveTechniqueNode;